Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Pre-authentication command injection in Zyxel weblogin.cgi

Identifiers: CVE-2020-9054 · CWE-78 (Improper Neutralization of Special…)

CVE-2020-9054 is a pre-authentication OS command injection vulnerability in the weblogin.cgi CGI program used by multiple Zyxel NAS devices, and later also reported by Zyxel as affecting certain firewall products. On affected NAS devices running firmware 5.21, weblogin.cgi does not properly sanitize the username parameter during authentication handling. A remote attacker can supply crafted metacharacters in the username field via HTTP GET or POST requests and cause arbitrary operating system commands to be executed by the web server process before authentication completes. Although the web server does not run as root, the devices include a setuid utility that can be leveraged to execute commands with root privileges, so successful exploitation should be treated as unauthenticated remote code execution as root. Affected NAS products include NAS326 before V5.21(AAZF.7)C0, NAS520 before V5.21(AASZ.3)C0, NAS540 before V5.21(AATB.4)C0, and NAS542 before V5.21(ABAG.4)C0; unsupported affected NAS models include NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325, and NSA325v2. Zyxel also stated that certain UTM, ATP, and VPN firewall products running ZLD V4.35 Patch 0 through Patch 2 were affected through the same weblogin.cgi issue.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the target device. In practice this can result in full device compromise, including root-level code execution, installation of malware or botnet payloads, persistence, credential theft, modification of configuration, use of the device as a pivot or proxy, and disruption of NAS or firewall functions. The vulnerability has been exploited in the wild and has been used by botnet operators targeting internet-exposed embedded devices.

Mitigation

If you can’t patch tonight, do this now.

Do not expose affected Zyxel NAS or firewall management interfaces directly to the internet. Place unsupported or unpatched devices behind a security router or firewall, restrict access to trusted administration networks only, and block external access to weblogin.cgi and related management endpoints. Where immediate patching is not possible, disable remote administration, enforce network segmentation, and monitor for exploitation attempts and post-compromise indicators such as unexpected processes, configuration changes, or botnet activity.
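A detection check for the monitoring step above, run over web-server access logs; this is an added example, not Mallory's or Zyxel's code. It assumes a combined-format access log, the weblogin.cgi endpoint and `username` parameter described on this page, and constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint path and parameter named in the description above; the exploit path
# /,adv/cgi-bin/weblogin.cgi ends with the same suffix.
WEBLOGIN_SUFFIX = "/cgi-bin/weblogin.cgi"
INJECTED_PARAM = "username"
# Shell metacharacters that never belong in a login name.
METACHARS = re.compile(r"[;&|`$(){}<>\n\r'\"\\]")

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_login_request(path, params):
    """params: dict of field -> list of values, taken from the query string or from a
    reverse proxy/WAF that captures POST form fields. Returns a reason string when
    the username carries shell metacharacters, else None."""
    if not path.endswith(WEBLOGIN_SUFFIX):
        return None
    for value in params.get(INJECTED_PARAM, []):
        if METACHARS.search(value):
            return f"shell metacharacters in {INJECTED_PARAM}: {value!r}"
    return None


def scan_access_log(lines):
    """Return (client_ip, reason) for attempts visible in the query string.
    POST bodies are absent from a standard access log, so route those through
    check_login_request from a proxy that logs form fields."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        reason = check_login_request(parts.path, parse_qs(parts.query, keep_blank_values=True))
        if reason:
            hits.append((m.group("ip"), reason))
    return hits


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2020:08:00:01 +0000] "GET /cgi-bin/weblogin.cgi?username=alice&password=x HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2020:08:00:02 +0000] "GET /,adv/cgi-bin/weblogin.cgi?username=a%27%3Bls%3B%27&password=x HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Mar/2020:08:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, reason in scan_access_log(SAMPLE_LOG):
        print(ip, reason)
```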

Remediation

Patch, then assume compromise.

Apply Zyxel firmware updates for supported products. For NAS devices, Zyxel made fixed firmware available for NAS326, NAS520, NAS540, and NAS542; later advisory updates referenced patched releases including NAS326 V5.21(AAZF.10)C0, NAS520 V5.21(AASZ.3)C0, NAS540 V5.21(AATB.7)C0, and NAS542 V5.21(ABAG.7)C0. For affected firewall products, install the patched ZLD V4.35 releases provided by Zyxel for ATP, USG, VPN, and ZyWALL models. If a temporary hotfix is the only immediate option in the advisory, deploy it first and then move to the permanent firmware release. Unsupported end-of-life NAS models do not receive fixes and should be retired or permanently isolated from untrusted networks.
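An inventory check against the NAS fixed-version thresholds listed above (an added example, not Zyxel's or Mallory's tooling): it splits Zyxel's V<major>.<minor>(<code>.<build>)C<rev> firmware string and compares it with the first fixed release for the same model. The layout of the version string is an assumption drawn from the strings on this page; ZLD firewall releases are not modelled.

```python
import re

# Fixed NAS firmware from the remediation text above; a device is affected when it
# runs anything older than the first fixed release for its model.
FIXED_NAS_FIRMWARE = {
    "NAS326": "V5.21(AAZF.7)C0",
    "NAS520": "V5.21(AASZ.3)C0",
    "NAS540": "V5.21(AATB.4)C0",
    "NAS542": "V5.21(ABAG.4)C0",
}
# End-of-life models named on this page: no fix exists, so they are always affected.
UNSUPPORTED_NAS = {"NSA210", "NSA220", "NSA220+", "NSA221", "NSA310", "NSA310S",
                   "NSA320", "NSA320S", "NSA325", "NSA325v2"}

# Assumed layout of Zyxel's string: V<major>.<minor>(<code>.<build>)C<rev>
VERSION_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)\((?P<code>[A-Z]+)\.(?P<build>\d+)\)C(?P<rev>\d+)$"
)


def parse_version(text):
    """'V5.21(AAZF.10)C0' -> ((5, 21), 'AAZF', 10, 0); raises on an unknown layout."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {text!r}")
    return ((int(m["major"]), int(m["minor"])), m["code"], int(m["build"]), int(m["rev"]))


def assess(model, installed):
    """Classify one inventory row as 'unsupported', 'vulnerable', 'patched' or 'not-listed'."""
    if model in UNSUPPORTED_NAS:
        return "unsupported"
    fixed = FIXED_NAS_FIRMWARE.get(model)
    if fixed is None:
        return "not-listed"          # model not in the NAS list on this page
    inst_ver, inst_code, inst_build, _ = parse_version(installed)
    fix_ver, fix_code, fix_build, _ = parse_version(fixed)
    if inst_code != fix_code:
        return "vulnerable"          # firmware code from another line; fail closed
    return "vulnerable" if (inst_ver, inst_build) < (fix_ver, fix_build) else "patched"


if __name__ == "__main__":
    # Constructed inventory rows, not real device data.
    for model, fw in [("NAS326", "V5.21(AAZF.6)C0"), ("NAS326", "V5.21(AAZF.10)C0"),
                      ("NAS540", "V5.20(AATB.9)C0"), ("NSA325v2", "n/a")]:
        print(model, fw, assess(model, fw))
```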
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTAL
CVE-2020-9054 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2020-9054. The main file, 'zyfuq.py', is a Python script that attempts to exploit a command injection vulnerability in a web login CGI script. The exploit works by sending a crafted POST request to the endpoint '/,adv/cgi-bin/weblogin.cgi' on a user-supplied target URL, injecting a shell command via the 'username' parameter. The script disables SSL warnings and expects the user to provide the target URL as a command-line argument. The default command executed is 'ls', but the code is structured to allow arbitrary commands. The repository also contains a README.md that notes the exploit is incomplete, but the provided code demonstrates the core injection technique. No hardcoded IPs or domains are present, but the endpoint path is fingerprintable. The exploit is a network-based PoC and does not include a weaponized or fully automated payload.

darrenmartyn · Disclosed Sep 9, 2021 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

| Vendor | Product | Type |
|---|---|---|
| Zyxel Communications | Atp100 Firmware | operating_system |
| Zyxel Communications | Atp200 Firmware | operating_system |
| Zyxel Communications | Atp500 Firmware | operating_system |
| Zyxel Communications | Atp800 Firmware | operating_system |
| Zyxel Communications | Nas326 Firmware | operating_system |
| Zyxel Communications | Nas520 Firmware | operating_system |
| Zyxel Communications | Nas540 Firmware | operating_system |
| Zyxel Communications | Nas542 Firmware | operating_system |
| Zyxel Communications | Usg110 Firmware | operating_system |
| Zyxel Communications | Usg1100 Firmware | operating_system |
| Zyxel Communications | Usg1900 Firmware | operating_system |
| Zyxel Communications | Usg20-Vpn Firmware | operating_system |
| Zyxel Communications | Usg20w-Vpn Firmware | operating_system |
| Zyxel Communications | Usg210 Firmware | operating_system |
| Zyxel Communications | Usg2200 Firmware | operating_system |
| Zyxel Communications | Usg310 Firmware | operating_system |
| Zyxel Communications | Usg40 Firmware | operating_system |
| Zyxel Communications | Usg40w Firmware | operating_system |
| Zyxel Communications | Usg60 Firmware | operating_system |
| Zyxel Communications | Usg60w Firmware | operating_system |
| Zyxel Communications | Vpn100 Firmware | operating_system |
| Zyxel Communications | Vpn1000 Firmware | operating_system |
| Zyxel Communications | Vpn300 Firmware | operating_system |
| Zyxel Communications | Vpn50 Firmware | operating_system |
| Zyxel Communications | Zywall110 Firmware | operating_system |
| Zyxel Communications | Zywall1100 Firmware | operating_system |
| Zyxel Communications | Zywall310 Firmware | operating_system |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
